2. Relevant releases:

NOTES: Users of VMware hosted products VMware Workstation 5.x, VMware Player 1.x, and VMware ACE 1.x should note that although they are not vulnerable to these issues, they will reach their end of general support on 2008-11-09. Customers should plan to upgrade to the latest version of their respective products.

A heap buffer overflow condition is present in VMware HGFS. Exploitation of this flaw might allow an unprivileged guest process to execute code in the context of the vmx process on the host.

In order to exploit this vulnerability, the VMware system must have at least one folder shared. Two things must happen for a folder to be shared: 1) shared folders must be enabled, and 2) a folder must be selected from the host system to be shared. No folders are shared by default in any version of our products, which means this vulnerability is not exploitable by default. Workstation 6.x, Player 2.x, and ACE 2.x have shared folders disabled by default.
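To check which virtual machines meet both conditions, a host administrator can audit the `.vmx` configuration files. The following is an added example, not part of the advisory or VMware's own tooling. It assumes the `.vmx` keys `isolation.tools.hgfs.disable` and `sharedFolderN.present` / `.enabled` / `.hostPath`, and it treats a missing `isolation.tools.hgfs.disable` key as "feature enabled" so that it errs toward flagging. The sample configurations are constructed.

```python
import re

# Constructed sample .vmx contents (not taken from the advisory).
VM_BOTH = '''
isolation.tools.hgfs.disable = "FALSE"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.hostPath = "/srv/build-share"
'''
VM_FEATURE_OFF = VM_BOTH.replace('disable = "FALSE"', 'disable = "TRUE"')
VM_NO_FOLDER = VM_BOTH.replace('enabled = "TRUE"', 'enabled = "FALSE"')

LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse key = "value" lines; keys are lowercased, comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def is_true(cfg, key):
    return cfg.get(key, "").strip().upper() == "TRUE"

def shared_folders(cfg):
    """Host paths of folder entries that are both present and enabled."""
    paths = []
    for key in cfg:
        m = re.fullmatch(r"sharedfolder(\d+)\.present", key)
        if m and is_true(cfg, key) and is_true(cfg, f"sharedfolder{m.group(1)}.enabled"):
            paths.append(cfg.get(f"sharedfolder{m.group(1)}.hostpath", "<unknown>"))
    return sorted(paths)

def hgfs_exposure(text):
    """Report whether both conditions named in the advisory hold for one VM."""
    cfg = parse_vmx(text)
    # Assumption: an absent key is counted as enabled (conservative for an audit).
    feature_on = not is_true(cfg, "isolation.tools.hgfs.disable")
    folders = shared_folders(cfg)
    return {"feature_enabled": feature_on, "folders": folders,
            "precondition_met": feature_on and bool(folders)}

if __name__ == "__main__":
    for name, vmx in [("both", VM_BOTH), ("feature off", VM_FEATURE_OFF),
                      ("no folder", VM_NO_FOLDER)]:
        print(name, hgfs_exposure(vmx))
```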

VMware Server, ESX and ESXi do not provide the shared folders feature. Because there is no back-end for the HGFS protocol on the virtualization host, these products are architecturally immune to this issue.

This issue might not be exploitable on host operating systems which have implemented heap protection.

VMware would like to thank Andrew Honig of the Department of Defense for reporting this issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-2098 to this issue.

b. Windows-based VMCI arbitrary code execution vulnerability

VMCI was introduced in VMware Workstation 6.0, VMware Player 2.0, and VMware ACE 2.0. It is an experimental, optional feature that allows virtual machines to communicate with one another.

With VMCI enabled, a guest may execute arbitrary code in the context of the vmx process on the host. This is a compiler-dependent vulnerability and only affects systems running on Windows hosts.

VMware would like to thank Andrew Honig of the Department of Defense for reporting this issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-2099 to this issue.